Security updates break ownCloud installations

The developers of the open source ownCloud storage and collaboration software suite have released version 5.0.3 of their software to fix problems with two earlier security updates. ownCloud version 5.0.1 fixes an SQL injection problem, while version 5.0.2 fixes multiple cross-site scripting (XSS) vulnerabilities. At the time of writing, ownCloud has not released details about any of these problems. However, in addition to fixing the security problems and a number of other bugs, both updates introduce a bug that renders ownCloud installations unusable. The ownCloud developers warn users not to install ownCloud 5.0.1 or 5.0.2 and to skip straight to version 5.0.3 instead.

According to reports from ownCloud users in the ownCloud Forums and on the project's GitHub site, an update to ownCloud 5.0.1 or 5.0.2 will result in the software activating its maintenance mode and warning that an important database table is missing; at this point, the software will become unusable. One of the affected users has posted a workaround in the ownCloud Forums that involves recreating the affected oc_fscache table and, in the same thread, another user explains how to patch the ownCloud code by hand. After this, ownCloud's maintenance mode can be deactivated. Users who have not run afoul of the problem should update their installation directly to 5.0.3.

ownCloud 5.0.3 is the third update to ownCloud 5.0 in 24 hours. According to the ownCloud Forums, this latest version should be safe to upgrade to. Users running version 5.0 or earlier should update to 5.0.3 as soon as possible because of the SQL injection and XSS holes that are fixed with this update. The community edition of ownCloud 5.0.3 is licensed under the AGPLv3 and can be downloaded free of charge from the ownCloud web site. Its source code is available on GitHub.